On 24/03/2017 10:56, Gervase Markham wrote:
> On 07/03/17 11:37, Gervase Markham wrote:
> > Here are some proposals for policy change. Please do comment on these or
> > suggest others.
>
> I can report that at the CAB Forum face-to-face in Raleigh, NC, USA this
> week, there was broad consensus to draw up a ballot which prevents CAs
> from (to summarise broadly) outsourcing BR 3.2.2.4 and 3.2.2.5 - domain
> name and IP address ownership - validation to third parties, and that
> this restriction would be enacted at the level of the BRs, not the level
> of Mozilla policy. So I will be working with interested parties from the
> Forum to draft some wording that achieves that, as there are various
> cases to consider to make sure we don't forbid certain common and secure
> activities by accident.

One common scenario that a new wording should allow is a "fully
outsourced CA", where all the technical activities, including CA
private key storage, CRL/OCSP distribution, ensuring policy compliance
and domain/IP validation are outsourced to a single entity which is
fully audited as a CA operator, while the entity nominally responsible
for the CA acts more like an RA or reseller.

That "CA operator" might be an actual related CA in good standing, or
might be a professional company created solely for doing this job for
other CAs (such as the private companies that run some government CAs
around the world).

For the "fully outsourced CA" scenario, the things that a normal CA
cannot outsource to a third party would in this case not be allowed to
be "insourced" from the "CA operator" to the nominally responsible
organization.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy